PCI Requirement 9.6.2 – Send the Media by Secured Courier
Tracking Transferred Media
If your organization transfers media to an off-site location, PCI Requirement 9.6.2 requires that you send the media by a secured courier and through a delivery method that can be accurately tracked. If you use the regular, non-trackable postal service, how do you keep track of your media? How do you know sensitive data hasn’t been lost or stolen? With the amount of secured courier options available today, compliance with PCI Requirement 9.6.2 is an easy way to protect your media.
An assessor will examine records that document how, where, and why media was transferred off site. They might even perform sampling as another way to verify that your organization uses a secured courier and a delivery method that can be accurately tracked.
If you’re going to be transferring media to a third party or off-site location, PCI Requirement 9.6.2 requires that you use some type of secure method for transmitting that information. Really what we’re looking for is that the media can be tracked. If you’re going to be sending it via mail, there needs to be some sort of tracking associated with it. Just sending it in regular mail would not be sufficient. If you’re going to be sending through a secure courier, it must be trackable so that you know where it is at all times. A lot of the back-up organizations that might come pick up or drop off your media have software now that does the tracking for them. At the end of the day, from an assessment perspective, what we’re looking for is that any time you transmit media off-site, whether that be a tape or a box with information in it or anything that would be considered sensitive, it is sent by a secured courier and is trackable.